04-29-2011 02:10 PM - edited 03-04-2019 12:13 PM
Hello,
I am trying to use outside source NAT to modify a source IP address based on destination port for a downstream load balancer and can’t seem to get it to work. I would like to have my load balancer see the following, and my ftp source to be unaffected.
10.200.41.1 -> 10.150.9.11 eq 20070
10.190.254.6 -> 10.150.9.11 eq 20074
Here’s the config I’m trying to use.
interface FastEthernet0/0
ip address 10.200.41.105 255.255.255.0
ip access-group JH1in in
ip nat outside
!
!
interface Serial0/1/0
ip address 10.190.254.6 255.255.255.252
ip nat inside
!
!
ip access-list extended JH1in
permit tcp host 10.200.41.1 host 10.150.9.11 eq 20070
permit tcp host 10.200.41.1 host 10.150.9.11 eq 20074
permit tcp host 10.200.41.1 range ftp-data ftp host 10.127.9.42
!
!
ip access-list extended RT_redir_74
10 permit tcp host 10.200.41.1 host 10.150.9.11 eq 20074
!
!
ip nat pool RT-Host-74 10.190.254.6 10.190.254.6 netmask 255.255.255.252
ip nat outside source route-map rt_redir74 pool RT-Host-74
!
ip access-list extended RT_redir_74
10 permit tcp host 10.200.41.1 host 10.150.9.11 eq 20074
!
route-map rt_redir74 permit 10
match ip address RT_redir_74
Any suggestions would be greatly appreciated.
Thank you.
Brad
11-09-2011 07:05 AM
hello,
we are facing somewhat the same problem: source NAT based on IP destination.
Have you gone further with this problem?
Thanks
02-22-2012 05:37 AM
Did any one of you manage to get this working?
Regards.
02-22-2012 06:01 AM
Gentlemen,
I have not tried to configure this personally but I see one major problem with this configuration: you are trying to perform NAT to the IP address of the inside interface itself. Now, according to the document at
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
when a packet comes in the "inside-to-outside" direction, the routing is performed first, and only if the packet is deemed to be routed out some "outside" interface does it go through the NAT process. However, in this case, the response from the internal device will be addressed to the router's inside interface itself. Therefore, the routing will determine that the packet should not be forwarded anywhere, thereby preventing the answer from the inside from ever being delivered back.
I suggest changing the IP address in the NAT pool to a separate unused IP address within the scope of the internal interface's network.
Best regards,
Peter
02-22-2012 06:06 AM
Hi Peter,
I tried doing this with an unused pool of IP addresses but it didn't work.
Regards.
02-22-2012 06:19 AM
Hi,
Let me ask differently: what are you trying to achieve? What is the goal you want to accomplish?
Best regards,
Peter
02-22-2012 06:30 AM
Hi,
I want to be able to change the source IP address for traffic that is destined to a certain server inside the network.
The problem is that behind the router I'm configuring there is a firewall that has another router as its default gateway.
So when traffic comes through the router that I want to configure, the reply from the server would go through the ASA and through another router (the default gateway of the ASA).
My idea is to change the source address of the incoming traffic destined for that server to some NAT pool and then have a static route on the ASA for that pool so that it will return the traffic through the router it came from (and not through the ASA's default gateway).
02-22-2012 07:22 AM
Hello,
This should work:
An example:
interface FastEthernet0/0
ip address 10.0.12.2 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.0.23.2 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
ip nat pool POOL 10.0.13.11 10.0.13.19 netmask 255.255.255.0 add-route
ip nat outside source route-map NAT pool POOL
!
ip access-list extended NAT
permit tcp host 10.0.23.3 host 10.0.12.1 eq telnet
!
route-map NAT permit 10
match ip address NAT
R2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
10.0.0.0/24 is subnetted, 3 subnets
C 10.0.12.0 is directly connected, FastEthernet0/0
S 10.0.13.0 [0/0] via 0.0.0.0, NVI0
C 10.0.23.0 is directly connected, FastEthernet0/1
R2#
Now, the machine 10.0.23.3 can telnet into 10.0.12.1. The machine 10.0.12.1 has a route towards 10.0.13.0/24 (the NAT pool network) but does not know about the network 10.0.23.0/24, yet the communication succeeds.
Best regards,
Peter
02-24-2012 06:24 AM
Thank you very much Peter.
I got it working.
That "add-route" was the key but I had to put it at the end of the ip nat command like this:
ip nat outside source route-map NAT pool POOL add-route
When placed at the end of the pool definition like you suggested it didn't work.
Thank you again!
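A consolidated configuration for the ASA scenario described in this thread, with the add-route keyword in the position that the last reply reports as working. This is an added example, not a configuration posted in the thread or supplied by Cisco; every address (RFC 5737 documentation ranges), interface name, ACL, route-map and pool name, the ASA interface name "outside", and the server port 20074 are assumptions. The ACL is matched against the packet before translation, so it matches the outside client, the real server address and the destination port, which is how the original question (rewrite the source only for a given destination port) is expressed; any flow the ACL does not match keeps its real source address.

```cisco
! ---- Router in front of the ASA (IOS) ----
! Assumed addresses (RFC 5737 documentation ranges, not from the thread):
!   192.0.2.10      external client whose source address is rewritten
!   198.51.100.1    this router's inside interface, facing the ASA
!   198.51.100.2    ASA outside interface (the ASA's default gateway is another router)
!   203.0.113.0/28  NAT pool the client is rewritten to
!   10.10.10.50     server behind the ASA, application port 20074 (assumed)
interface FastEthernet0/0
 ip address 192.0.2.2 255.255.255.0
 ip nat outside
!
interface FastEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 ip nat inside
!
! Only the client -> server flow on the application port is rewritten.
! The ACL sees the untranslated packet: real client source, real server
! destination and destination port. Other traffic from the client,
! e.g. FTP to some other host, is not matched and keeps its source address.
ip access-list extended NAT_SRC_REWRITE
 permit tcp host 192.0.2.10 host 10.10.10.50 eq 20074
!
route-map RM_NAT_SRC_REWRITE permit 10
 match ip address NAT_SRC_REWRITE
!
! Pool addresses are unused and not the address of any router interface.
ip nat pool POOL_SRC_REWRITE 203.0.113.1 203.0.113.14 netmask 255.255.255.240
! add-route sits on the translation command (the placement reported as
! working in this thread). It installs a static route for the pool via
! NVI0, so a reply addressed to a pool address is handed back to NAT and
! untranslated instead of being dropped as "not routable".
ip nat outside source route-map RM_NAT_SRC_REWRITE pool POOL_SRC_REWRITE add-route
!
! Forward the server's network to the ASA.
ip route 10.10.10.0 255.255.255.0 198.51.100.2
!
! ---- ASA ----
! Replies to the pool must return to this router rather than follow the
! ASA's default route; the route is scoped to the /28 pool only.
route outside 203.0.113.0 255.255.255.240 198.51.100.1 1
! Permit only the rewritten flow from the pool to the server on that port.
! The ASA's remaining NAT and access policy is assumed to exist and is not shown.
access-list OUTSIDE_IN extended permit tcp 203.0.113.0 255.255.255.240 host 10.10.10.50 eq 20074
!
! ---- Verification on the router ----
! Expect a static route for 203.0.113.0/28 via NVI0, then one entry per flow
! showing the client address on the outside side and a pool address on the inside side:
! show ip route static
! show ip nat translations
```

Two practitioner notes: the static route that add-route installs must not be redistributed into an IGP, or other routers will start sending traffic for the pool at this router's NVI0; and once the source is rewritten, the ASA and the server log only the pool address, so the router's NAT translation table (or NAT logging) is the only record that ties a connection back to the real client. Keep it available for incident investigation.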
02-24-2012 07:11 AM
Hello,
I am glad you got it running!
Best regards,
Peter